
LCORE-1888: Fixed CVE in python-multipart package#1539

Merged
tisnik merged 1 commit into
lightspeed-core:mainfrom
tisnik:lcore-1888-fixed-cve-in-python-multipart
Apr 20, 2026

Conversation

@tisnik (Contributor) commented Apr 20, 2026

Description

LCORE-1888: Fixed CVE in python-multipart package

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-1888

Summary by CodeRabbit

  • Chores
    • Updated python-multipart dependency to version 0.0.26.

@coderabbitai (Bot) commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5cd30019-5a88-4474-abcc-d4880439e46d

📥 Commits

Reviewing files that changed from the base of the PR and between 4b7396d and a6a9098.

📒 Files selected for processing (1)
  • requirements.hashes.source.txt
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)
  • GitHub Check: build-pr
  • GitHub Check: mypy
  • GitHub Check: radon
  • GitHub Check: unit_tests (3.13)
  • GitHub Check: Pylinter
  • GitHub Check: integration_tests (3.13)
  • GitHub Check: integration_tests (3.12)
  • GitHub Check: unit_tests (3.12)
  • GitHub Check: Pyright
  • GitHub Check: E2E: server mode / ci / group 3
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
🔇 Additional comments (1)
requirements.hashes.source.txt (1)

889-891: Confirm CVE fix is valid; note breaking change in custom FormParser.

Version 0.0.26 correctly fixes CVE-2026-40347, a denial of service vulnerability in multipart form parsing. Hashes verified against PyPI. However, version 0.0.25 removed custom FormParser classes (#257), which is a breaking change. Verify the codebase or downstream dependencies do not rely on custom FormParser implementations.


Walkthrough

Updated the pinned dependency python-multipart from version 0.0.24 to 0.0.26 in the requirements file, with corresponding SHA256 hash values updated to match the new version.

Changes

Cohort / File(s) | Summary
Dependency Update: requirements.hashes.source.txt | Bumped python-multipart from 0.0.24 to 0.0.26 and replaced associated SHA256 hashes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: updating python-multipart to fix a CVE, which matches the raw summary showing the version 0.0.24→0.0.26 update.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

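Added example, not code from this PR or the lightspeed-core project: a small Python checker for the kind of hash-pinned requirements file this PR touches. It assumes the file uses pip's `name==version --hash=sha256:<hex>` layout with backslash line continuations (the repository's real requirements.hashes.source.txt is not reproduced here); the sample text, the artifact bytes and the `other-package` entry are constructed, and the function names (`parse_pins`, `pinned_at_least`, `verify_artifact`) are mine. It shows the two checks behind the bot's comment: that python-multipart is pinned at or above the version reported as fixing the CVE, and that a downloaded artifact's SHA-256 matches one of the pinned hashes, so a silent downgrade or a swapped hash fails the check instead of passing unnoticed.

```python
"""Check a hash-pinned requirements file: version floor and SHA-256 pins.

Added example, not code from the lightspeed-core project. It assumes the
pinned file uses pip's `name==version --hash=sha256:<hex>` layout with
backslash line continuations; the sample text and artifact bytes below are
constructed for this example, not the real python-multipart releases.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the two release files a pin usually covers
# (a wheel and an sdist). Real PyPI artifacts are not used here.
SAMPLE_ARTIFACTS = {
    "python_multipart-0.0.26-py3-none-any.whl": b"constructed wheel bytes",
    "python_multipart-0.0.26.tar.gz": b"constructed sdist bytes",
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed requirements text in pip's hash-pin layout; the hashes are
# derived from the constructed bytes above so the example is self-consistent.
SAMPLE_REQUIREMENTS = "\n".join([
    "# pinned by a lock tool; every entry must carry at least one hash",
    "python-multipart==0.0.26 \\",
    "    --hash=sha256:" + _sha256_hex(SAMPLE_ARTIFACTS["python_multipart-0.0.26-py3-none-any.whl"]) + " \\",
    "    --hash=sha256:" + _sha256_hex(SAMPLE_ARTIFACTS["python_multipart-0.0.26.tar.gz"]),
    "other-package==1.2.3 \\",
    "    --hash=sha256:" + "0" * 64,
])


@dataclass
class Pin:
    name: str             # normalized project name (PEP 503 style)
    version: str          # exact pinned version
    hashes: set[str] = field(default_factory=set)  # lowercase sha256 hex digests


_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9]+(?:\.[0-9]+)*)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def normalize(name: str) -> str:
    """Fold `python_multipart`, `Python-Multipart` and `python.multipart` to one key."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> dict[str, Pin]:
    """Parse pinned requirements; reject anything unpinned or without a hash."""
    pins: dict[str, Pin] = {}
    for line in text.replace("\\\n", " ").splitlines():   # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _REQ_RE.match(line)
        if match is None:
            raise ValueError(f"not an exact '==' pin: {line!r}")
        hashes = {h.lower() for h in _HASH_RE.findall(line)}
        if not hashes:
            raise ValueError(f"pin without --hash; pip rejects it in hash mode: {line!r}")
        pin = Pin(normalize(match.group(1)), match.group(2), hashes)
        pins[pin.name] = pin
    return pins


def _version_key(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def pinned_at_least(pins: dict[str, Pin], name: str, minimum: str) -> bool:
    """True when `name` is pinned at `minimum` or newer (plain dotted releases only)."""
    pin = pins.get(normalize(name))
    return pin is not None and _version_key(pin.version) >= _version_key(minimum)


def verify_artifact(pins: dict[str, Pin], name: str, data: bytes) -> bool:
    """True when the SHA-256 of a downloaded file matches one of the pinned hashes."""
    pin = pins.get(normalize(name))
    return pin is not None and _sha256_hex(data) in pin.hashes


if __name__ == "__main__":
    pins = parse_pins(SAMPLE_REQUIREMENTS)
    # Floor taken from the PR: 0.0.26 is the version the bot reports as fixing the CVE.
    print("python-multipart >= 0.0.26:", pinned_at_least(pins, "python-multipart", "0.0.26"))
    for filename, data in SAMPLE_ARTIFACTS.items():
        print(filename, "matches pin:", verify_artifact(pins, "python-multipart", data))
    print("tampered bytes match pin:", verify_artifact(pins, "python-multipart", b"tampered"))
```

Run it as a script for a printed report, or import it into a CI step that enforces a minimum-version policy on the pins before `pip install --require-hashes` consumes the file; pip's own hash mode still does the per-download verification, this only front-loads the policy check.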

@tisnik tisnik merged commit c6be5a4 into lightspeed-core:main Apr 20, 2026
30 checks passed